snow-editor

small markdown and org-mode editor

originGuard.js (1401B)


      1 import { MSG } from './messages.js';
      2 import { sendError } from './utils.js';
      3 
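/**
 * Origins trusted when no explicit allow-list is configured: the loopback
 * host on port 41737, by hostname and by IPv4 literal (presumably the
 * editor's own server address — confirm against the server's listen config).
 *
 * Frozen so nothing can push onto the fallback allow-list at runtime and
 * widen the guard; callers already copy it with spread before using it as
 * mutable state, which works unchanged on a frozen array.
 */
const DEFAULT_ORIGINS = Object.freeze([
  'http://localhost:41737',
  'http://127.0.0.1:41737',
]);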
      8 
// Live allow-list consulted by requireAllowedOrigin(); starts as a private
// copy of DEFAULT_ORIGINS and is only replaced through setAllowedOrigins().
let allowedOrigins = Array.from(DEFAULT_ORIGINS);
     10 
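/**
 * Parse a comma-separated allow-list (e.g. from an environment variable)
 * into origins ready for comparison.
 *
 * Each entry is trimmed and, when it parses as a URL with a host, reduced to
 * `scheme://host[:port]` — the same canonical form request origins are put in
 * before matching. Without this, a configured `http://localhost:41737/`
 * (trailing slash) or `HTTP://Localhost:41737` would never equal the
 * `http://localhost:41737` a browser sends and the guard would silently
 * reject everything. Entries that are not URLs with a host are kept verbatim;
 * they can never match a request and are effectively dead configuration.
 *
 * @param {string | null | undefined} value raw list such as "http://a:1, http://b:2"
 * @returns {string[]} canonical origins, or a copy of DEFAULT_ORIGINS when
 *   value is missing or blank
 */
export function parseAllowedOrigins(value) {
  if (!value || value.trim() === '') {
    return [...DEFAULT_ORIGINS];
  }
  return value
    .split(',')
    .map((entry) => entry.trim())
    .filter(Boolean)
    .map((entry) => {
      try {
        const url = new URL(entry);
        // Scheme-less input like "localhost:41737" parses as an opaque URL
        // with an empty host; leave it alone rather than emit "localhost://".
        return url.host ? `${url.protocol}//${url.host}` : entry;
      } catch {
        return entry;
      }
    });
}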
     20 
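/**
 * Replace the active allow-list.
 *
 * The list is copied so a caller that keeps a reference to its array cannot
 * later mutate it and silently widen what the guard accepts. An empty list
 * falls back to DEFAULT_ORIGINS rather than blocking every request — note
 * that this means a deny-all guard cannot be configured through this API.
 *
 * @param {string[]} origins canonical `scheme://host[:port]` origins, as
 *   produced by parseAllowedOrigins
 */
export function setAllowedOrigins(origins) {
  allowedOrigins = origins.length > 0 ? [...origins] : [...DEFAULT_ORIGINS];
}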
     24 
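/**
 * Return a snapshot of the active allow-list.
 *
 * A copy is returned so callers cannot push into the live list and widen the
 * guard without going through setAllowedOrigins().
 *
 * @returns {string[]} the origins currently accepted by requireAllowedOrigin
 */
export function getAllowedOrigins() {
  return [...allowedOrigins];
}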
     28 
/**
 * Reduce a URL or origin string to `scheme://host[:port]`, the form the
 * allow-list is matched against. The URL parser lower-cases scheme and host,
 * drops default ports, and strips userinfo, path, query and fragment.
 * Anything it rejects — including the opaque origin value `null` and the
 * empty string — yields null.
 *
 * @param {string} urlString value of an Origin or Referer header
 * @returns {string | null} canonical origin, or null when unparseable
 */
function normalizeOrigin(urlString) {
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch {
    return null;
  }
  const { protocol, host } = parsed;
  return `${protocol}//${host}`;
}
     37 
/**
 * Determine the origin a request claims to come from, for matching against
 * the allow-list.
 *
 * Origin takes precedence; Referer is consulted only when Origin is absent.
 * An Origin that is present but unparseable (e.g. the opaque value `null`)
 * yields null without falling back to Referer, so a request the browser
 * already marked as opaque cannot be rescued by a friendlier Referer.
 * Both headers are client-supplied: this identifies the browser-reported
 * origin, it does not authenticate the sender.
 *
 * @param {{ headers: object }} req request with lower-cased header names
 *   (presumably a Node/Express IncomingMessage — confirm at the call site)
 * @returns {string | null} canonical origin, or null when neither header is usable
 */
function resolveRequestOrigin(req) {
  const { origin, referer } = req.headers;
  const candidate = origin || referer;
  if (!candidate) {
    return null;
  }
  return normalizeOrigin(candidate);
}
     51 
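/**
 * Express/Connect-style middleware that rejects requests whose reported
 * origin is not on the allow-list.
 *
 * This is a cross-site-request (CSRF) guard for state-changing routes, not
 * authentication: browsers set Origin/Referer themselves and page scripts
 * cannot override them, but any non-browser client can send whatever it
 * likes, so the allow-list must be paired with real authentication. The
 * guard fails closed — a request carrying neither header is rejected — so
 * clients behind a Referrer-Policy that suppresses Referer must still send
 * Origin. Rejections respond 403 with ORIGIN_NOT_ALLOWED and are logged with
 * the request's actual method and path (the previous message hard-coded
 * "POST /documents", which misreports when the guard is mounted elsewhere).
 *
 * @param {object} req incoming request; reads headers, method, originalUrl/url
 * @param {object} res response, handed to sendError on rejection
 * @param {Function} next continuation, invoked only for an allowed origin
 */
export function requireAllowedOrigin(req, res, next) {
  const requestOrigin = resolveRequestOrigin(req);

  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    // originalUrl is the pre-router path on Express; plain Node only has url.
    const route = `${req.method ?? '?'} ${req.originalUrl ?? req.url ?? '?'}`;
    console.warn(
      `[origin-guard] blocked ${route} origin=${requestOrigin ?? 'missing'}`,
    );
    return sendError(res, 403, 'ORIGIN_NOT_ALLOWED', MSG.ORIGIN_NOT_ALLOWED);
  }

  return next();
}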